CZFan
Forum Guru
Topic Author
Posts: 1392
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

QinQ VLAN's Help needed

Sun Jun 10, 2018 8:28 pm

I am treading in waters I have not been in before and it is a semi-live network, so I need to get my ducks in a row. Below is what I need:

Cust 1 ---- C-Vlan 10 -----
                            \
Cust 2 ---- C-Vlan 20 -------\--- CCR1036 -- S-Vlan 50 ---- Co Loc for ISP's
                             /
Cust 3 ---- C-Vlan 30 ---- /

Customers come in on their relevant VLANs to the CCR1036, which then encapsulates the C-VLANs into one Service VLAN to the co-location, where the S-VLAN will be stripped again and the traffic routed accordingly to the relevant ISP based on the original VLANs.

I have read somewhere on the Wiki that only "initial" support for this is available on bridges from 6.43RC14, I think it was (can't find it now). I have some concerns about running Release Candidate versions in production.

Is the above possible at the moment without running an RC version? If so, can you provide some guidance on how I can achieve this?

Thanking you in advance
MTCNA, MTCTCE, MTCRE & MTCINE
 
sindy
Forum Guru
Posts: 3810
Joined: Mon Dec 04, 2017 9:19 pm

Re: QinQ VLAN's Help needed  [SOLVED]

Sun Jun 10, 2018 9:34 pm

So you want it like this, right?
Ethernet II, Src: Routerbo_78:5a:37 (64:d1:54:78:4a:37), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
IEEE 802.1ad, ID: 50
    000. .... .... .... = Priority: 0
    ...0 .... .... .... = DEI: 0
    .... 0000 0011 0010 = ID: 50
    Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 10
    000. .... .... .... = Priority: Best Effort (default) (0)
    ...0 .... .... .... = DEI: Ineligible
    .... 0000 0000 1010 = ID: 10
    Type: ARP (0x0806)
Address Resolution Protocol (request)
I haven't tried yet, but from what the wiki says, the "initial support of QinQ" is relevant to using vlan-filtering on frames with 802.1ad tags on a bridge, so unless you need a bridge hosting several s-vlans, you don't need that feature. So if you want to avoid rc in production and you have enough CPU for adding the s-tag using /interface vlan, it is possible to do it the following way:
                 bridge-x
ether1---tag(c10)===|
ether2---tag(c20)===|---s-vlan50===ether4
ether3---tag(c30)===|
(--- ... tagless side, === ... tagged side)
i.e.
/interface vlan
add interface=ether4 name=s-vlan50 use-service-tag=yes vlan-id=50

/interface bridge
add name=bridge-x vlan-filtering=yes

/interface bridge port
add bridge=bridge-x interface=s-vlan50
add bridge=bridge-x interface=ether1 pvid=10
add bridge=bridge-x interface=ether2 pvid=20
add bridge=bridge-x interface=ether3 pvid=30

/interface bridge vlan
add bridge=bridge-x tagged=bridge-x,s-vlan50 untagged=ether1 vlan-ids=10
add bridge=bridge-x tagged=bridge-x,s-vlan50 untagged=ether2 vlan-ids=20
add bridge=bridge-x tagged=bridge-x,s-vlan50 untagged=ether3 vlan-ids=30
I haven't tested it completely, so be careful.

Of course if the CCR already gets c10,c20,c30 tagged in a single trunk, all you need is
      bridge-x
ether1===|---s-vlan50===ether4
so all shrinks down to just
/interface vlan
add interface=ether4 name=s-vlan50 use-service-tag=yes vlan-id=50

/interface bridge
add name=bridge-x vlan-filtering=yes

/interface bridge port
add bridge=bridge-x interface=s-vlan50
add bridge=bridge-x interface=ether1

/interface bridge vlan
add bridge=bridge-x tagged=bridge-x,ether1,s-vlan50 vlan-ids=10,20,30
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
paulct
Member Candidate
Posts: 295
Joined: Fri Jul 12, 2013 5:38 pm

Re: QinQ VLAN's Help needed

Mon Jun 11, 2018 10:04 am

I am treading in waters I have not been in before and it is a semi-live network, so I need to get my ducks in a row. Below is what I need:

Cust 1 ---- C-Vlan 10 -----
                            \
Cust 2 ---- C-Vlan 20 -------\--- CCR1036 -- S-Vlan 50 ---- Co Loc for ISP's
                             /
Cust 3 ---- C-Vlan 30 ---- /

Customers come in on their relevant VLANs to the CCR1036, which then encapsulates the C-VLANs into one Service VLAN to the co-location, where the S-VLAN will be stripped again and the traffic routed accordingly to the relevant ISP based on the original VLANs.

I have read somewhere on the Wiki that only "initial" support for this is available on bridges from 6.43RC14, I think it was (can't find it now). I have some concerns about running Release Candidate versions in production.

Is the above possible at the moment without running an RC version? If so, can you provide some guidance on how I can achieve this?

Thanking you in advance
QinQ is fine for this. However, we have only used CCRs for this. We have not tried it on the CRS platforms.
BUT, what happens when you need more than one S-tag?

e.g. C-tag 10, 20, 30 to S-tag 100
and
C-tag 11, 21, 31 to S-tag 101

Then you need selective Q-in-Q if it needs to be done on the same uplink interface.
 
sindy
Forum Guru
Posts: 3810
Joined: Mon Dec 04, 2017 9:19 pm

Re: QinQ VLAN's Help needed

Mon Jun 11, 2018 10:26 am

This can be obtained using vlan-filtering on the bridge hosting the c-vlans and two s-vlan interfaces:
/interface vlan
add interface=ether4 name=s-vlan-100 use-service-tag=yes vlan-id=100
add interface=ether4 name=s-vlan-101 use-service-tag=yes vlan-id=101

/interface bridge
add name=bridge-x vlan-filtering=yes

/interface bridge port
add bridge=bridge-x interface=s-vlan-100
add bridge=bridge-x interface=s-vlan-101
add bridge=bridge-x interface=ether1

/interface bridge vlan
add bridge=bridge-x tagged=bridge-x,ether1,s-vlan-100 vlan-ids=10,20,30
add bridge=bridge-x tagged=bridge-x,ether1,s-vlan-101 vlan-ids=11,21,31
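The following is an added worked example, not code from this thread or from MikroTik: a small Python model of what the two configurations above do to a frame. It rebuilds the frame from the Wireshark dissection in the [SOLVED] reply (ARP broadcast from 64:d1:54:78:4a:37 with C-tag 10 inside S-tag 50; the 28-byte ARP body is a constructed zero placeholder), walks the tag stack the way the dissector does, and then models the two-s-vlan bridge: a frame arriving on the ether1 trunk is admitted only if its C-VID is listed in one of the two /interface bridge vlan entries and then gets the outer tag of the matching s-vlan interface. The model is a simplification (it keys on the outermost 802.1Q tag only and ignores MAC learning, pvid and the rest of the bridge logic); use_service_tag=False shows the plain Q-in-Q variant with a 0x8100 outer tag that comes up later in the thread. check_uplink_frame is a sanity check one could run over a capture taken on the uplink to confirm the handover carries exactly the agreed S-VID and only the permitted C-VIDs.

```python
import struct

# TPIDs named in the thread: the 802.1ad service tag produced by use-service-tag=yes
# and the ordinary 802.1Q customer tag.
TPID_8021AD = 0x88A8
TPID_8021Q = 0x8100
ETHERTYPE_ARP = 0x0806


def push_tag(frame: bytes, tpid: int, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert one VLAN tag directly after the MAC pair, making it the new outermost tag."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID out of range")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def parse_tags(frame: bytes):
    """Walk the tag stack like the Wireshark dissection: returns (tags, ethertype, payload)
    with tags as (tpid, vid) pairs, outermost first."""
    tags = []
    offset = 12  # skip destination and source MAC
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated Ethernet header")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021AD, TPID_8021Q):
            return tags, ethertype, frame[offset + 2:]
        if offset + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((ethertype, tci & 0x0FFF))
        offset += 4


def make_c_tagged_frame(c_vid: int) -> bytes:
    """Constructed customer frame: ARP broadcast from the MAC in the dissection, one C-tag.
    The 28-byte ARP body is a zero placeholder, not a real ARP request."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("64d154784a37")
    frame = dst + src + struct.pack("!H", ETHERTYPE_ARP) + bytes(28)
    return push_tag(frame, TPID_8021Q, c_vid)


def build_dissected_frame() -> bytes:
    """The frame shown in the dissection: C-tag 10 inside S-tag 50."""
    return push_tag(make_c_tagged_frame(10), TPID_8021AD, 50)


# /interface bridge vlan table from the two-s-vlan configuration: which C-VIDs
# are admitted on the ether1 trunk and which s-vlan interface they egress on.
S_VLAN_VID = {"s-vlan-100": 100, "s-vlan-101": 101}
BRIDGE_VLAN_TABLE = (
    ({10, 20, 30}, "s-vlan-100"),
    ({11, 21, 31}, "s-vlan-101"),
)


def forward_from_ether1(frame: bytes, use_service_tag: bool = True):
    """Simplified model of the CCR bridge. A frame arrives tagged on the ether1 trunk;
    vlan-filtering admits it only if its outermost 802.1Q VID is in the table, and the
    matching s-vlan interface pushes the outer tag before the frame leaves via ether4.
    Returns (egress s-vlan name, egress frame), or (None, None) when the frame is dropped."""
    tags, _, _ = parse_tags(frame)
    if not tags or tags[0][0] != TPID_8021Q:
        return None, None  # untagged frames fall into the default pvid, which the table does not list
    c_vid = tags[0][1]
    for c_vids, s_iface in BRIDGE_VLAN_TABLE:
        if c_vid in c_vids:
            tpid = TPID_8021AD if use_service_tag else TPID_8021Q
            return s_iface, push_tag(frame, tpid, S_VLAN_VID[s_iface])
    return None, None


def check_uplink_frame(frame: bytes, expected_s_vid: int, allowed_c_vids,
                       outer_tpid: int = TPID_8021AD) -> str:
    """Sanity check for a frame captured on the uplink towards the colocation: the stack
    must be exactly one outer tag of the agreed kind plus one 802.1Q inner tag, with the
    agreed S-VID and a permitted C-VID. Returns "ok" or the first problem found."""
    tags, _, _ = parse_tags(frame)
    if len(tags) != 2:
        return "unexpected tag depth %d" % len(tags)
    (o_tpid, s_vid), (i_tpid, c_vid) = tags
    if o_tpid != outer_tpid or i_tpid != TPID_8021Q:
        return "unexpected TPID order 0x%04x/0x%04x" % (o_tpid, i_tpid)
    if s_vid != expected_s_vid:
        return "wrong S-VID %d" % s_vid
    if c_vid not in allowed_c_vids:
        return "C-VID %d not permitted" % c_vid
    return "ok"


if __name__ == "__main__":
    print(parse_tags(build_dissected_frame())[:2])
    for vid in (10, 21, 12):
        egress, out = forward_from_ether1(make_c_tagged_frame(vid))
        print(vid, egress, None if out is None else parse_tags(out)[0])
```

Running it prints the (tags, ethertype) pair for the dissected frame, then shows C-VID 10 leaving via s-vlan-100, C-VID 21 via s-vlan-101 and C-VID 12 being dropped, which is the "selective" behaviour the two bridge vlan entries give without any per-port c-tag to s-tag mapping feature.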
 
paulct
Member Candidate
Posts: 295
Joined: Fri Jul 12, 2013 5:38 pm

Re: QinQ VLAN's Help needed

Mon Jun 11, 2018 10:33 am

This can be obtained using vlan-filtering on the bridge hosting the c-vlans and two s-vlan interfaces:
/interface vlan
add interface=ether4 name=s-vlan-100 use-service-tag=yes vlan-id=100
add interface=ether4 name=s-vlan-101 use-service-tag=yes vlan-id=101

/interface bridge
add name=bridge-x vlan-filtering=yes

/interface bridge port
add bridge=bridge-x interface=s-vlan-100
add bridge=bridge-x interface=s-vlan-101
add bridge=bridge-x interface=ether1

/interface bridge vlan
add bridge=bridge-x tagged=bridge-x,ether1,s-vlan-100 vlan-ids=10,20,30
add bridge=bridge-x tagged=bridge-x,ether1,s-vlan-101 vlan-ids=11,21,31
Strange - this is from Mikrotik support 3 weeks ago.

"At the beginning it is planned to have one s-tag for all c-tags on port.
Selective tagging might be possible later using Switch Chip ACL rules or by another implementation."
 
sindy
Forum Guru
Posts: 3810
Joined: Mon Dec 04, 2017 9:19 pm

Re: QinQ VLAN's Help needed

Mon Jun 11, 2018 10:46 am

Strange - this is from Mikrotik support 3 weeks ago.
"At the beginning it is planned to have one s-tag for all c-tags on port.
Selective tagging might be possible later using Switch Chip ACL rules or by another implementation."
Yes, on port. But my suggestion uses two different ports, on one of them only the c-vlans 10,20,30 are permitted by the vlan-filtering rule, and on the other one only the c-vlans 11,21,31.
 
paulct
Member Candidate
Posts: 295
Joined: Fri Jul 12, 2013 5:38 pm

Re: QinQ VLAN's Help needed

Mon Jun 11, 2018 11:00 am

But my suggestion uses two different ports, on one of them only the c-vlans 10,20,30 are permitted by the vlan-filtering rule, and on the other one only the c-vlans 11,21,31.
OK, which is not ideal in all cases, unless ALL your switches can do this.

e.g. Switch A (some other brand or such, a managed switch but no Q-in-Q) - one uplink to switch B (Mikrotik) - and then to switch C (Mikrotik) - handover point.
So on switch B you won't be able to say c-tag 10-30 goes to s-tag 100 and c-tag 40-100 goes to s-tag 120.

But either way - nice to know Mikrotik supports it and maybe one day can do the above.
 
sindy
Forum Guru
Posts: 3810
Joined: Mon Dec 04, 2017 9:19 pm

Re: QinQ VLAN's Help needed

Mon Jun 11, 2018 12:17 pm

which is not ideal in all cases, unless ALL your switches can do this.

e.g. Switch A (some other brand or such, a managed switch but no Q-in-Q) - one uplink to switch B (Mikrotik) - and then to switch C (Mikrotik) - handover point.
So on switch B you won't be able to say c-tag 10-30 goes to s-tag 100 and c-tag 40-100 goes to s-tag 120.

But either way - nice to know Mikrotik supports it and maybe one day can do the above.
Sorry, I didn't get your point here. How would Mikrotik's "more native" support of this "selective tagging", compared to the setup I've suggested, change the fact that the other vendor's equipment cannot do it? And, to extend my mental horizon, what would be the application scenario?

The usual application scenario is that the ISP provides L2 WAN service to several unrelated customers and uses s-vlans to isolate the traffic of these customers, which comes as trunks of c-vlans, from one another. In such an arrangement there is little use for c-vlan to s-vlan mapping inside the ISP's network; the traffic is normally s-tagged on the border switch, port-based.

Already @CZFan's application scenario is quite far from typical, as he
  1. uses c-vlans to isolate his customers from one another instead of s-vlans (but that's exactly what saves him from the need to use rc which would be needed to support vlan-filtering of s-vlans), and
  2. hands over the result already s-tagged to his carrier ISP while the usual approach is that the carrier ISP s-tags the traffic on their own equipment.
Your scenario is even more unusual, as you take several c-vlans and want to map groups of them to different s-vlans, and on top of that you seem to want to change that mapping on an intermediate equipment.

Can you give a practical example where this would be purposeful?
 
paulct
Member Candidate
Posts: 295
Joined: Fri Jul 12, 2013 5:38 pm

Re: QinQ VLAN's Help needed

Mon Jun 11, 2018 12:43 pm

which is not ideal in all cases, unless ALL your switches can do this.

e.g. Switch A (some other brand or such, a managed switch but no Q-in-Q) - one uplink to switch B (Mikrotik) - and then to switch C (Mikrotik) - handover point.
So on switch B you won't be able to say c-tag 10-30 goes to s-tag 100 and c-tag 40-100 goes to s-tag 120.

But either way - nice to know Mikrotik supports it and maybe one day can do the above.
Sorry, I didn't get your point here. How would Mikrotik's "more native" support of this "selective tagging", compared to the setup I've suggested, change the fact that the other vendor's equipment cannot do it? And, to extend my mental horizon, what would be the application scenario?

The usual application scenario is that the ISP provides L2 WAN service to several unrelated customers and uses s-vlans to isolate the traffic of these customers, which comes as trunks of c-vlans, from one another. In such an arrangement there is little use for c-vlan to s-vlan mapping inside the ISP's network; the traffic is normally s-tagged on the border switch, port-based.

Already @CZFan's application scenario is quite far from typical, as he
  1. uses c-vlans to isolate his customers from one another instead of s-vlans (but that's exactly what saves him from the need to use rc which would be needed to support vlan-filtering of s-vlans), and
  2. hands over the result already s-tagged to his carrier ISP while the usual approach is that the carrier ISP s-tags the traffic on their own equipment.
Your scenario is even more unusual, as you take several c-vlans and want to map groups of them to different s-vlans, and on top of that you seem to want to change that mapping on an intermediate equipment.

Can you give a practical example where this would be purposeful?
It's great that Mikrotik supports it, but there are scenarios where selective Q-in-Q in certain networks is needed. Not Mikrotik's fault, as I do realise it is an unusual setup.

e.g. say you have 100 buildings and use a different brand of switch. Why? Well, maybe until very recently Mikrotik had no multi-port (> 24 port) SFP switches or 48 port Ethernet switches. One would not want to replace them all, and they do not support Q-in-Q. One would simply tag the various ports and then install one "master" Mikrotik switch which can do selective Q-in-Q.

Why would you want to do this? Maybe to enable open access on your own network.
 
CZFan
Forum Guru
Topic Author
Posts: 1392
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: QinQ VLAN's Help needed

Mon Jun 11, 2018 9:52 pm

Thank you sindy, all
 
CZFan
Forum Guru
Topic Author
Posts: 1392
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: QinQ VLAN's Help needed

Sun Jun 17, 2018 8:35 pm

If I may throw in another curve ball, I am new to the "nuts & bolts" of VLANs, so please bear with me.

Have an MT CCR with ether1 as a routed port (stand-alone, not part of a bridge / switch group).
Attach VLAN 10 to ether1, and attach VLANs 20, 30 & 40 to VLAN 10, creating QinQ.

ether2 to etherN in a bridge.
Configure the bridge for vlan-filtering=yes.
In Bridge VLAN, ether2 to ether5 & the bridge tagged for vlan-ids=20,30,40.

Trying to get frames coming in tagged on ether2 - 5 with VLAN ID 20, 30 or 40; the tag must stay on the frame and go out via the relevant VLAN 20, 30 or 40, tunnelled into VLAN 10 out on ether1?

Hope it makes sense
 
sindy
Forum Guru
Posts: 3810
Joined: Mon Dec 04, 2017 9:19 pm

Re: QinQ VLAN's Help needed

Sun Jun 17, 2018 8:48 pm

Drawings are better, but I assume you want ether1 to carry the QinQ frames where VID 10 is the outer one (service-vlan, or S-vlan, ethertype 0x88a8) and VID 20,30,40 are the inner ones (customer-vlan, C-vlan, ethertype 0x8100). If so, the method suggested above is still valid, just modify the picture (and configuration) from
      bridge-x
ether1===|---s-vlan50===ether4
to
     bridge-vlan
ether2===|
ether3===|---s-vlan10===ether1
ether4===|
ether5===|
 
CZFan
Forum Guru
Topic Author
Posts: 1392
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: QinQ VLAN's Help needed

Sun Jun 17, 2018 10:16 pm

@sindy, thank you very much. Apologies, I was in a rush, but you are 100% correct, drawings will make it more clear, so below is a drawing and explanation, also explaining how I see it, so please correct me if I am wrong.

VLANs coming into the CCR already tagged for 20, 30 & 40.
CCR is configured:
- ether1 is stand-alone, a router port, not part of any switch group / bridge, used for routing to the WAN.
--- on ether1 I have VLAN 10 attached to ether1 and VLANs 20, 30, 40 attached to VLAN 10 (QinQ tunnelling)
- ether2 - ether4 configured as part of a bridge
--- under /bridge vlan, I have selected the bridge, with vlan-ids=20,30,40, tagged=bridge,ether2,ether3,ether4 and untagged=none

So if my understanding is correct, packets/frames will come into the CCR already tagged by the CPE devices with the relevant ISP VLAN ID; as they come into the bridge via ether2, 3 & 4 they will remain tagged, go out of the bridge still tagged, will then be encapsulated with VLAN 10, go across the WAN link, get to the co-loc, VLAN 10 gets stripped and, based on the VLAN tag remaining, will be routed to the relevant ISP.

I am of the understanding that if I do the above, it remains 802.1Q (ethertype 0x8100); should I enable "use service tag", it will become 802.1ad (ethertype 0x88a8). Is my understanding correct?
If so, will it work on 802.1Q?
QinQ VLAN.JPG
 
sindy
Forum Guru
Posts: 3810
Joined: Mon Dec 04, 2017 9:19 pm

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 12:05 am

I have not tried an actual QinQ, only "Qinad", but I don't see why it should not work with the outer tag being a Q one (0x8100, use-service-tag=no).
 
CZFan
Forum Guru
Topic Author
Posts: 1392
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 7:57 pm

I can't get the above working, anyone that can offer help, please
 
chechito
Forum Guru
Posts: 1736
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 8:18 pm

I have not tried an actual QinQ, only "Qinad", but I don't see why it should not work with the outer tag being a Q one (0x8100, use-service-tag=no).
yes, in some cases Q-in-Q works, in other cases you have to do Q-in-ad
 
CZFan
Forum Guru
Topic Author
Posts: 1392
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 8:21 pm

I have not tried an actual QinQ, only "Qinad", but I don't see why it should not work with the outer tag being a Q one (0x8100, use-service-tag=no).
yes, in some cases Q-in-Q works, in other cases you have to do Q-in-ad

I will try that in lab quickly, thx
 
CZFan
Forum Guru
Topic Author
Posts: 1392
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 8:25 pm

Just to be clear what I am trying to achieve, I want tagged vlans coming into a bridge, that must then go out of a routed interface still tagged, the routed interface is not part of the bridge, is that possible?
 
chechito
Forum Guru
Posts: 1736
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 8:50 pm

Just to be clear what I am trying to achieve, I want tagged vlans coming into a bridge, that must then go out of a routed interface still tagged, the routed interface is not part of the bridge, is that possible?
I think one way to do it is:

ether going to the colocation with vlan and vlan-in-vlan interfaces

ether going in the other direction with vlan interfaces

make a bridge for each tagged vlan and add the corresponding interfaces to that bridge as ports, for example:

bridge-20: ports: vlan20 on ether1, vlan20 on ether2, vlan20 on ether3

the same way for each vlan
 
sindy
Forum Guru
Posts: 3810
Joined: Mon Dec 04, 2017 9:19 pm

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 9:03 pm

Just to be clear what I am trying to achieve, I want tagged vlans coming into a bridge, that must then go out of a routed interface still tagged, the routed interface is not part of the bridge, is that possible?
Now wait a bit. So you want that a packet comes in via VLAN 20 on interface A, gets routed (i.e. not bridged) to VLAN20 on interface B? So the IP subnet living in VLAN 20 on interface A is a different one than the IP subnet living in VLAN 20 on interface B (let's leave QinQ aside for the moment)?
 
peson
Trainer
Posts: 180
Joined: Tue Jul 20, 2004 10:33 am
Location: Sweden

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 9:50 pm

I am treading in waters I have not been in before and it is a semi-live network, so I need to get my ducks in a row. Below is what I need:

Cust 1 ---- C-Vlan 10 -----
                            \
Cust 2 ---- C-Vlan 20 -------\--- CCR1036 -- S-Vlan 50 ---- Co Loc for ISP's
                             /
Cust 3 ---- C-Vlan 30 ---- /

Customers come in on their relevant VLANs to the CCR1036, which then encapsulates the C-VLANs into one Service VLAN to the co-location, where the S-VLAN will be stripped again and the traffic routed accordingly to the relevant ISP based on the original VLANs.

I have read somewhere on the Wiki that only "initial" support for this is available on bridges from 6.43RC14, I think it was (can't find it now). I have some concerns about running Release Candidate versions in production.

Is the above possible at the moment without running an RC version? If so, can you provide some guidance on how I can achieve this?

Thanking you in advance
Are the customers behind the same physical interface?
What's on the other end of the CCR, a Mikrotik, Cisco...?
The CCR only acts as an L2 bridge for the customers' VLANs and S-VLANs them upstream?
Last edited by peson on Mon Jun 18, 2018 9:57 pm, edited 1 time in total.
Reboot is the last resort, try to find out what's wrong instead.
 
CZFan
Forum Guru
Topic Author
Posts: 1392
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 9:57 pm

@chechito, thx, but I tried that; then I can get to the Vlan20 on the far-side router, but no devices behind it

Here is exports of what I have done so far in my lab, maybe it will make more sense:

Router1:
# jan/02/1970 00:44:46 by RouterOS 6.42.3

#
# model = RouterBOARD 931-2nD

/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface bridge
add fast-forward=no name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=bridge-vlan20 vlan-id=20
add interface=ether1 name=vlan10 use-service-tag=yes vlan-id=10
add interface=vlan10 name=vlan10-vlan20 vlan-id=20
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=20
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2 vlan-ids=20
/ip address
add address=10.0.0.1/24 interface=bridge1 network=10.0.0.0
add address=10.10.10.1/24 interface=vlan10 network=10.10.10.0
add address=10.10.20.1/24 interface=bridge-vlan20 network=10.10.20.0
/system routerboard settings
set silent-boot=no
Router2:
# jan/02/1970 00:45:18 by RouterOS 6.42.3

#
# model = 951Ui-2HnD

/interface bridge
add fast-forward=no name=bridge1 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface vlan
add interface=bridge1 name=bridge-vlan20 vlan-id=20
add interface=ether1 name=vlan10 use-service-tag=yes vlan-id=10
add interface=vlan10 name=vlan10-vlan20 vlan-id=20
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=20
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2 vlan-ids=20
/ip address
add address=10.0.0.2/24 interface=bridge1 network=10.0.0.0
add address=10.10.10.2/24 interface=vlan10 network=10.10.10.0
add address=10.10.20.2/24 interface=bridge-vlan20 network=10.10.20.0
/system routerboard settings
set silent-boot=no
 
peson
Trainer
Posts: 180
Joined: Tue Jul 20, 2004 10:33 am
Location: Sweden

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 10:30 pm

Those configs won't work for you.
Please, try to explain the whole chain of what you're trying to achieve.
Review my questions above.
Is it something like this:
Cust2 -- untagged -- CCR:ether2 -- some core -- tagged 20@ISP router
 
CZFan
Forum Guru
Topic Author
Posts: 1392
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 10:46 pm

Those configs won't work for you.
Please, try to explain the whole chain of what you're trying to achieve.
Review my questions above.
Is it something like this:
Cust2 -- untagged -- CCR:ether2 -- some core -- tagged 20@ISP router
@peson, did you read my post, viewtopic.php?f=2&t=135504&p=669035#p668784
 
sindy
Forum Guru
Posts: 3810
Joined: Mon Dec 04, 2017 9:19 pm

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 10:49 pm

@CZfan, can you respond to post #20?
 
CZFan
Forum Guru
Topic Author
Posts: 1392
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 10:58 pm

@CZfan, can you respond to post #20?
@sindy, my answer to that was post 22, with the lab config, I just tried with untagged, as I do not have equipment to provide tagged data

In a nutshell, from the CPE it comes tagged with vlan20 to the CCR (bridge), then out with Vlan20 still tagged, gets tunnelled into vlan10 and out of ether1 to the other side. Ether1 is not part of the bridge, but a stand-alone port on the CCR.

Make sense?
 
CZFan
Forum Guru
Topic Author
Posts: 1392
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 10:59 pm

@sindy, apologies, accidentally accepted your last post as solved, meant to click on quotation marks to quote your post
 
peson
Trainer
Posts: 180
Joined: Tue Jul 20, 2004 10:33 am
Location: Sweden

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 11:05 pm

Those configs won't work for you.
Please, try to explain the whole chain of what you're trying to achieve.
Review my questions above.
Is it something like this:
Cust2 -- untagged -- CCR:ether2 -- some core -- tagged 20@ISP router
@peson, did you read my post, viewtopic.php?f=2&t=135504&p=669035#p668784
Sorry, wasn't logged in the first time, so I couldn't see the drawing.
So it's a L2 configuration you need.
Is the Co-Loc an MT or some other equipment?
 
CZFan
Forum Guru
Topic Author
Posts: 1392
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 11:08 pm

@peson, sorry, I can't answer for the equipment on the other side, I asked on numerous occasions but still did not get an answer; I have a meeting with the colocation engineers in the morning at 10:00
 
peson
Trainer
Posts: 180
Joined: Tue Jul 20, 2004 10:33 am
Location: Sweden

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 11:13 pm

@peson, sorry, I can't answer for the equipment on the other side, I asked on numerous occasions but still did not get an answer; I have a meeting with the colocation engineers in the morning at 10:00
But they request you to have a s-vlan 10 carrying the customers inside with c-vlan 20, 30 and 40?
 
CZFan
Forum Guru
Topic Author
Posts: 1392
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 11:16 pm

@peson, correct, it is a deployment / project that I got involved in late; I asked for info and got very little, i.e. network design, etc.
 
peson
Trainer
Posts: 180
Joined: Tue Jul 20, 2004 10:33 am
Location: Sweden

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 11:21 pm

@peson, correct, it is a deployment / project that I got involved in late; I asked for info and got very little, i.e. network design, etc.
Do you need to interfere with the customers' VLANs on layer 3, or is it only L2 tunnelling you need?
Any queuing or shaping involved?
 
sindy
Forum Guru
Posts: 3810
Joined: Mon Dec 04, 2017 9:19 pm

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 11:26 pm

@sindy, my answer to that was post 22, with the lab config, I just tried with untagged, as I do not have equipment to provide tagged data
In a nutshell, from the CPE it comes tagged with vlan20 to the CCR (bridge), then out with Vlan20 still tagged, gets tunnelled into vlan10 and out of ether1 to the other side. Ether1 is not part of the bridge, but a stand-alone port on the CCR.
Make sense?
I must be missing some point. I don't understand what "routed interface" means, that's the first point.

When talking about QinQ (or "Qinad"), we normally stay in the L2 domain, no routing is related.

In one of my first posts, there is a Wireshark dissection of a frame created using the configuration I've suggested - the tagless side of a local /interface vlan has an IP configuration attached to it, the tagged side of that /interface vlan uses bridge-x as its carrier interface and has use-service-tag set to no, so it adds 802.1Q tags to the frames coming to its tagless side before forwarding them to the bridge. Then, the tagless side of another /interface vlan is made a member port of bridge-x, that /interface vlan uses ether1 as the carrier interface at its tagged side and has use-service-tag set to yes, so it takes already 802.1Q tagged frames from bridge-x and adds 802.1ad tags to them before sending them out via ether1.

I've dissected an ARP packet because I did not configure a second 'Tik the same way, so I could not generate any other than ARP traffic (I've pinged an address in the same subnet to which the IP address attached to the first /interface vlan belongs, so the router generated an ARP packet to determine that address, and that's the packet I've sniffed and dissected).

Neither of your configuration exports matches this, plus you have attached IP configuration to the /interface vlan with pvid=10.

So no, for me the configuration export in post #22 did not clarify your intention, and was not an answer to my question in post #20.

If the intention is to take frames already tagged with an 802.1Q tag with VIDs 20,30,40 and just tag them one more time with VID 10 (no matter whether with an 802.1Q or 802.1ad tag) before sending them towards the colocation, my configurations from post #2 do exactly that; if the intention is different, describe how the frame should look when it comes in to the CCR from the left side and how the frame should look when it goes out to the right side, and whether you expect it to be routed inside the CCR.
 
CZFan
Forum Guru
Topic Author
Posts: 1392
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 11:48 pm

@sindy, what I mean by "routed Interface"

Take any MT router, lets say Hap AC Lite, usually you will configure ether 2 - 5 as members of a bridge, then ether 1 will be your WAN port.
Now imagine you have a VoIP phone and your SIP provider is connected to your ISP, but on Vlan 20, but your ISP requires you to send that Vlan 20 across your WAN port tunneled into Vlan 10.
So you configure on the VoIP phone itself that it must use Vlan 20, so the phone will come into your bridge on your Hap AC Lite as tagged with vlan 20, must then be encapsulated / tunneled into Vlan 10 and out on the WAN port to your ISP.
At your ISP, the ISP will then decapsulate / strip Vlan 10, which will leave only Vlan 20 on the packet. The ISP sees, ahhh, Vlan 20 belongs to SIP Provider 1, send the packet to them
MTCNA, MTCTCE, MTCRE & MTCINE
 
sindy
Forum Guru

Re: QinQ VLAN's Help needed

Tue Jun 19, 2018 12:18 am

What you describe is still a mere bridging with QinQ and has nothing to do with routing, so my suggestion from post #2 should work.

Falling asleep, let's see what those guys tell you tomorrow at ten.
 
CZFan
Forum Guru
Topic Author

Re: QinQ VLAN's Help needed

Tue Jun 19, 2018 12:28 am

What you describe is still a mere bridging with QinQ and has nothing to do with routing, so my suggestion from post #2 should work.

Falling asleep, let's see what those guys tell you tomorrow at ten.
Thx sindy, yes, will revert back tomorrow, also falling asleep here
 
peson
Trainer

Re: QinQ VLAN's Help needed

Tue Jun 19, 2018 4:52 am

This might be helpful:
/interface bridge
add name=br-QinQ vlan-filtering=yes
/interface vlan
add interface=ether1 name=vl10-QinQ use-service-tag=yes vlan-id=10
/interface bridge port
add bridge=br-QinQ interface=vl10-QinQ
add bridge=br-QinQ interface=ether2
add bridge=br-QinQ interface=ether3
add bridge=br-QinQ interface=ether4
/interface bridge vlan
add bridge=br-QinQ tagged=vl10-QinQ,ether2,ether3,ether4 vlan-ids=20,30,40
Use horizon values if you need to block traffic between customers.
If you need L3 termination in the CCR you have to add the vlan interfaces (/interface vlan add...) and the bridge itself in the tagged vlan list.
Reboot is the last resort, try to find out what's wrong instead.
 
CZFan
Forum Guru
Topic Author

Re: QinQ VLAN's Help needed

Tue Jun 19, 2018 8:11 pm

@sindy, @peson, thx for your feedback so far.

Info received after meeting today: the other side is apparently a Cisco ASR1002.

Today we have cut over to an additional / new layer 2 fibre link so all is currently working via that link. I have been told the older / existing link is also supposed to be a layer 2 link, so I am not sure why they originally configured ether1 as a "routed / WAN" interface. From my understanding, with the info supplied now, it should be a lot easier, as I can configure the CCR as a switch, i.e. bridge all ports, then the vlan issue becomes a bit simpler.

I will test in my lab tonight and take it from there
 
CZFan
Forum Guru
Topic Author

Re: QinQ VLAN's Help needed

Wed Jun 20, 2018 2:42 pm

@sindy, thank you, your solution in post #2 worked, the reason I could not get it to work was I used my youngest son's laptop on the other end of my lab setup. Seems the OS on that laptop is broken and I am unable to ping it, not even directly from the router it connected to, hence I thought QinQ tunneling was not working when I tried to ping it from my laptop via QinQ setup.
 
sindy
Forum Guru

Re: QinQ VLAN's Help needed

Wed Jun 20, 2018 3:33 pm

It may not even be broken, many embedded firewalls do not respond to pings by default in "unknown" networks. I was quite confident it did work as my test has confirmed it, so I was expecting some misconfiguration rather than a mistake of the concept.

But this @peson's remark is worth considering given the application case you've described:
Use horizon values if you need to block traffic between customers.
I mean, if the c-vlans are used to connect customers' networks to different VoIP providers which possibly use their own private address spaces to avoid NAT-related problems, it makes sense to permit only traffic between the VoIP provider's access point and the customers but not from one customer to another.


Off topic, two weeks ago I've obtained a pair of glasses after all and it does make a difference :-)
 
CZFan
Forum Guru
Topic Author

Re: QinQ VLAN's Help needed

Wed Jun 20, 2018 5:44 pm

Yes, I should give credit where due, thank you @peson, will definitely implement "horizon" config.

@sindy, I have disabled firewall on his laptop, still could not ping it. Many games and crap on that laptop...

off topic, whose name did I spell wrong this time... :-)
 
sindy
Forum Guru

Re: QinQ VLAN's Help needed

Wed Jun 20, 2018 6:12 pm

Off topic, no victims this time, I've just used this topic to deliver the update because it is yours and solved :-)
 
CZFan
Forum Guru
Topic Author

Re: QinQ VLAN's Help needed

Wed Jun 20, 2018 7:14 pm

off topic, FYI, I am at the stage already where I have 2 pairs of glasses, one for every day use and another for reading, it definitely helps, but unfortunately not in all scenarios :-(

@peson, I read up a bit more on the horizon (I just wonder why these things are not covered in training / certification classes) and yes, will definitely use it.
 
peson
Trainer

Re: QinQ VLAN's Help needed

Wed Jun 20, 2018 9:39 pm

Split horizon is covered in the MTCINE training (https://mikrotik.com/pdf/MTCINE_Outline.pdf)
I teach it in the MTCNA classes I have since it's a very useful feature when configuring port isolation, which is commonly used in ISPs' networks.

Off topic:
I still have only one pair of glasses, but I need to take them off when reading ;-)
 
CZFan
Forum Guru
Topic Author

Re: QinQ VLAN's Help needed

Wed Jun 20, 2018 9:51 pm

Split horizon is covered in the MTCINE training (https://mikrotik.com/pdf/MTCINE_Outline.pdf)
I teach it in the MTCNA classes I have since it's a very useful feature when configuring port isolation, which is commonly used in ISPs' networks.

Off topic:
I still have only one pair of glasses, but I need to take them off when reading ;-)
Aaahhhh, that's good to know, if all works out well, I will be attending MTCINE end July 2018. Sounds like an awesome course looking at outline, very excited
 
deepmedia
just joined

Re: QinQ VLAN's Help needed

Fri Apr 12, 2019 1:16 pm

Hi there,

I'm looking for a QinQ solution as well. Currently I'm running 2 x CRS317 with a metro vlan provider in between them. There are several vlans on both sides that require to be connected by the s-vlan together. I'm running the vlan aware bridge configuration on both CRS'es. Some of the vlans are entering the device as tagged and some as untagged. The complex part is ether4. I thought it would be a good idea to create separate bridges, but ether4 can't be attached to both bridges at the same time. See also attached image.
802.1ad-example.png
Anyone got a configuration suggestion / example?
 
sindy
Forum Guru

Re: QinQ VLAN's Help needed

Fri Apr 12, 2019 9:41 pm

I'm afraid none of the currently available Mikrotik products can fulfil your requirement completely in hardware without using crude hacks, at least because you need to add/remove two tags on the path between ether2 and ether4, whilst all the bridge implementations cannot add more than one tag on ingress and remove more than one tag on egress. So if you need to make use of the 10 Gbit/s bandwidth of the uplink, you may have to stack two CRS317, unless the partitioning of the switch chip and VLAN filtering is so good that you can connect together two ports of the same switch belonging to different partitions without creating a forwarding loop (you need per-VLAN forwarding tables in the switch chip as a minimum, plus you probably need that no VLAN ID is used for both a C-VLAN and an S-VLAN as the switch chip likely only uses the VID as an index to the table, not the tag type).

The topology would be the following:

              S-bridge                     C-bridge A
                  ║                             ║
                  ║                             ║---access---
                  ║---access---~~~~~====trunk===║   PVID 10
      hybrid      ║  PVID=100        VID 10,20  ║
===VIDs 100,999===║                             ║===trunk====
     PVID=999     ║                             ║   VID 20
                  ║
                  ║                        C-bridge B
                  ║                             ║
                  ║---access---~~~~~====trunk===║===trunk====
                  ║  PVID=999          VID 30   ║   VID 30
C-bridge B is only necessary to prevent ingress of frames tagged with any other VID than 30 as S-bridge only cares about S-tags.

If you don't need the full 10 Gbit/s speed (actually even just 1 Gbit/s may be too much to expect), you can implement a similar topology using software bridges and see whether the CPU will cope with the traffic or not. In this case, instead of cables between ports, you would use /interface vlan:

/interface vlan
add name=vcable-a interface=s-bridge vlan-id=100 use-service-tag=yes
add name=vcable-b interface=s-bridge vlan-id=999 use-service-tag=yes


and make the tagless sides of these /interface vlan member ports of c-bridge-a and c-bridge-b respectively:

/interface bridge port
add bridge=c-bridge-a interface=vcable-a
add bridge=c-bridge-b interface=vcable-b
 
peson
Trainer

Re: QinQ VLAN's Help needed

Sat Apr 13, 2019 12:17 am

Hi there,

I'm looking for a QinQ solution as well. Currently I'm running 2 x CRS317 with a metro vlan provider in between them. There are several vlans on both sides that require to be connected by the s-vlan together. I'm running the vlan aware bridge configuration on both CRS'es. Some of the vlans are entering the device as tagged and some as untagged. The complex part is ether4. I thought it would be a good idea to create separate bridges, but ether4 can't be attached to both bridges at the same time. See also attached image.

802.1ad-example.png

Anyone got a configuration suggestion / example?
Haven't looked into this in Mikrotik, but is tag stacking per port usable?
https://wiki.mikrotik.com/wiki/Manual:B ... g_Stacking
/Paul
 
sindy
Forum Guru

Re: QinQ VLAN's Help needed

Sat Apr 13, 2019 3:24 pm

is tag stacking per port usable?
I understand the description in the manual you refer to in such a way that tag-stacking=yes only makes the /interface bridge port handling ignore the already existing tags on the ingress frames even if the topmost ethertype of the ingress frame matches the ether-type of the bridge and always act as an access port, i.e. add another tag in front of the existing one on ingress. But still it is just a single tag to be added on ingress and removed on egress, not two. Whereas in his post above, @deepmedia asks for adding a C-tag 10 to tagless frames received at ether2 and then adding also an S-tag 100 before sending them out ether4, so two ingress crossings of bridge (or switch) border are required.

So a single bridge approach could only work if you could add two tags in a single ingress handling step, but the switch chip of the CRS317 doesn't provide such (rarely required) functionality in hardware, so even if it was implemented to the bridge, the throughput would still be limited by the CPU power and by the bandwidth of the internal connection between the switch part of the chip and the CPU's packet interface.

I suspect from the feature overview on the respective manual page that the switch chips used in CRS1xx/2xx can add both a C-tag and an S-tag in a single ingress step, but 1) I don't have a possibility to test this practically and 2) these devices have just up to two 10 Gbit/s ports so the bandwidth limitation might still affect @deepmedia's use case.
 
deepmedia
just joined

Re: QinQ VLAN's Help needed

Tue Apr 16, 2019 2:27 am

Also on advice of MT support I decided to go with CVID tag stacking instead of c-vlan within s-vlan.

I built the following config:
/interface bridge
add ingress-filtering=yes name=bridge vlan-filtering=yes

/interface vlan
add interface=sfp-sfpplus1 name=vlan-gs-ser vlan-id=309
add interface=bridge name=vlan-mgmt vlan-id=20

/interface bridge port
add bridge=bridge ingress-filtering=yes interface=vlan-gs-ser tag-stacking=yes
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-sfpplus1

/interface bridge vlan
add bridge=bridge comment=transport-gs-ser tagged=bridge,sfp-sfpplus1,vlan-gs-ser vlan-ids=309
add bridge=bridge comment=mgmt tagged=bridge,vlan-gs-ser,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,trunk-ccr2-crs2 vlan-ids=20
Without the tag-stacking option on the vlan-gs-ser port everything seems to work fine, but as soon as I enable tag stacking it breaks. Anyone got an idea?
 
peson
Trainer

Re: QinQ VLAN's Help needed

Tue Apr 16, 2019 8:51 am

Also on advice of MT support I decided to go with CVID tag stacking instead of c-vlan within s-vlan.

I built the following config:
/interface bridge
add ingress-filtering=yes name=bridge vlan-filtering=yes

/interface vlan
add interface=sfp-sfpplus1 name=vlan-gs-ser vlan-id=309
add interface=bridge name=vlan-mgmt vlan-id=20

/interface bridge port
add bridge=bridge ingress-filtering=yes interface=vlan-gs-ser tag-stacking=yes
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-sfpplus1

/interface bridge vlan
add bridge=bridge comment=transport-gs-ser tagged=bridge,sfp-sfpplus1,vlan-gs-ser vlan-ids=309
add bridge=bridge comment=mgmt tagged=bridge,vlan-gs-ser,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,trunk-ccr2-crs2 vlan-ids=20
Without the tag-stacking option on the vlan-gs-ser port everything seems to work fine, but as soon as I enable tag stacking it breaks. Anyone got an idea?
I think you misunderstand the tag-stacking feature.
From the example on page: https://wiki.mikrotik.com/wiki/Manual:B ... g_Stacking
"What we want to achieve is that regardless what is being received on ether2 and ether3, a new VLAN tag will be added to encapsulate the traffic that is coming from those ports. What tag-stacking does is forces a new VLAN tag, so we can use this property to achieve our desired setup. We are going to be using the same configuration as in the Trunk/Access port setup, but with tag stacking enabled on the access ports:"
In your example, if 309 is the outer tag and sfp-sfpplus1 is the port to metro provider, it would be something like:
/interface bridge
add name=bridge vlan-filtering=yes ether-type=0x8100
/interface bridge port
add bridge=bridge interface=sfp-sfpplus1
add bridge=bridge interface=sfp-sfpplus6 tag-stacking=yes pvid=309 (outer tag)
add bridge=bridge interface=sfp-sfpplus7 tag-stacking=yes pvid=309 (outer tag)
add bridge=bridge interface=sfp-sfpplus8 tag-stacking=yes pvid=309 (outer tag)
...
/interface bridge vlan
add bridge=bridge tagged=sfp-sfpplus1 untagged=sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8 vlan-ids=309
In "/interface vlan" you only add the VLAN that needs to be processed by the CPU, not the switch chip.
 
deepmedia
just joined

Re: QinQ VLAN's Help needed

Tue Apr 16, 2019 11:28 am

The main reason I didn't use pvid 309 on the end ports is the fact we have untagged traffic that needs both an inner and outer vlan tag. Is there a way to double tag them? Or do you suggest to always tag all traffic on the customers' side?
 
sindy
Forum Guru

Re: QinQ VLAN's Help needed

Tue Apr 16, 2019 1:30 pm

That's what I've tried to explain before in post #49 - it makes no difference whether you place an S-tag over an existing C-tag or whether you nest two C-tags, the real problem is that only a single tag can be added to a frame at ingress and none at egress, and just a single tag can be removed from a frame at egress and none at ingress. So when a tagless frame comes in through ether2, you can tag it with C-VID 10, but all the way to the wire connected to ether4 there is no place where you could add the other tag with S-VID or C-VID 100, unless you cascade two bridges as in my drawing.

If you can make all the customers send you only C-tagged frames, you'll be in a better position because you'll only need to add the outer tags, so in this case tag-stacking=yes will ensure that the existing C-tags of the ingress frames will be ignored and new C-tags will be added on ports configured as "untagged". But if you set the ether-type=0x88a8 on the bridge, you don't even need the tag-stacking=yes setting because the C-tags (0x8100) of ingress frames will be ignored because the bridge won't recognize frames with ethertype 0x8100 as tagged ones.
 
deepmedia
just joined

Re: QinQ VLAN's Help needed

Tue Apr 16, 2019 1:36 pm

Sindy, that's exactly what I was already thinking. 1st of all I will start by making all my traffic towards and from our customers tagged. We'll see if that will work out. Thanks!

Sent from my Pixel 3 using Tapatalk

 
deepmedia
just joined

Re: QinQ VLAN's Help needed

Fri Jun 07, 2019 11:49 pm

To get a workaround I bought 2 additional CRS317's (I needed them anyway)

I built the following setup:
Untitled.png

The upper CRS is configured using the following config:
/interface bridge
add ingress-filtering=yes name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=sfp-sfpplus1 ] speed=10Gbps
set [ find default-name=sfp-sfpplus16 ] speed=10Gbps
/interface bridge port
add bridge=bridge ingress-filtering=yes interface=sfp-sfpplus1 pvid=309 tag-stacking=yes
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-sfpplus16
add bridge=bridge ingress-filtering=yes interface=ether1
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus16,ether1 vlan-ids=80
add bridge=bridge tagged=bridge untagged=sfp-sfpplus1 vlan-ids=10

The lower CRS got the following config:
/interface bridge
add ingress-filtering=yes name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=sfp-sfpplus1 ] speed=10Gbps
set [ find default-name=sfp-sfpplus16 ] speed=10Gbps
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan80 vlan-id=80
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-sfpplus1
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-sfpplus16
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=10
add bridge=bridge tagged=bridge,sfp-sfpplus16 vlan-ids=80
/ip address
add address=1.1.1.1/24 interface=vlan10 network=1.1.1.0
add address=2.2.2.2/24 interface=vlan80 network=2.2.2.0

Whenever all cables are connected only the double tagged traffic gets forwarded to the wireshark (see image)
allportsenabled.png

When I disconnect the sfp1 cable the single tagged traffic gets forwarded (see image)
disconnectcablesfp1.png

Is there any workaround you guys might think of? The only requirement is the fact that single and double tagged traffic needs to be on the same cable (because of the carrier who is providing these vlans)

Thanks for your suggestions.
 
sindy
Forum Guru

Re: QinQ VLAN's Help needed

Sat Jun 08, 2019 12:29 am

I'd have to see your setup hands-on (but I don't plan to drive by any time soon), but I think you are missing one basic thing about L2 - in addition to VLAN-tagged traffic, there are also VLAN-agnostic protocols running on switches, among which STP is the one which causes this issue. Whenever you connect two L2 devices together by more than a single logical link (a bond of several physical links behaves as a single logical link), you have to address the omission of the L2 protocol designers which is the absence of any TTL field in the L2 header. In other words, you have to prevent loops in the logical topology by dynamically disabling all logical links except one. So although you only permit one VLAN on the physical link between sfpplus1 and only permit another VLAN on the physical link between sfpplus16, the RSTP protocol which runs on the bridges by default still only permits one of these links to be active at a time whenever both are physically connected.

So setting protocol-mode at both bridges (upper and lower) to none might resolve your issue, but it may also cause a broadcast storm if eventually some frames leak the wrong way and loop back through the other link. So if this happens, you'll have to set up also split horizon, preventing any frame received on sfpplus1 from being sent out via sfpplus16 and vice versa, whereas ether4 on the upper CRS and any port except sfpplus1 and sfpplus16 on the lower CRS will be able to forward frames to/from both sfpplus1 and sfpplus16.

Other than that, I'm afraid that in order to make it work in both directions, the second row in /interface bridge vlan in the upper CRS configuration has to be changed to add bridge=bridge tagged=bridge untagged=sfp-sfpplus1 vlan-ids=309. The pvid parameter of /interface bridge port row controls the ingress handling; the position of the interface on the tagged or untagged list on the vlan-ids row in /interface bridge vlan controls the egress handling. For the upper CRS, VLAN 10 doesn't exist at all, it only knows about VLAN 309 and VLAN 80.
 
deepmedia
just joined

Re: QinQ VLAN's Help needed

Sat Jun 08, 2019 8:27 am

Your suggestion turning off RSTP works... see image! Although I'm very excited to implement this on the network, on the other hand I am a little scared of broadcast storms as you suggested. Is there a way to verify / monitor this? And if this is the case, how to prevent it?

afterrstp-none.png

Oh and btw, In my previous post the last rule of the following config fell off by copy pasting, so current config about vlan statements is:
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus16,ether1 vlan-ids=80
add bridge=bridge tagged=bridge untagged=sfp-sfpplus1 vlan-ids=10
add bridge=bridge tagged=bridge,ether1 vlan-ids=309
 
sindy
Forum Guru

Re: QinQ VLAN's Help needed

Sat Jun 08, 2019 12:06 pm

Your suggestion turning off RSTP works... see image! Although I'm very excited to implement this on the network, on the other hand I am a little scared of broadcast storms as you suggested. Is there a way to verify / monitor this? And if this is the case, how to prevent it?
Better to prevent it than to monitor :) Check this.

Oh and btw, In my previous post the last rule of the following config fell off by copy pasting, so current config about vlan statements is:
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus16,ether1 vlan-ids=80
add bridge=bridge tagged=bridge untagged=sfp-sfpplus1 vlan-ids=10
add bridge=bridge tagged=bridge,ether1 vlan-ids=309
Replace the last two lines above by the single one I've suggested - add bridge=bridge tagged=bridge,ether1 untagged=sfp-sfpplus1 vlan-ids=309. As said, VLAN 10 is invisible to the upper CRS, it is just a payload inside VLAN 309 like any other.
 
deepmedia
just joined

Re: QinQ VLAN's Help needed

Sat Jun 08, 2019 12:43 pm

In the configuration-to-be all ports will be added to a single bridge, with the protocol-mode set to none. No other bridges, no tagless or untagged (except for the stacked ones) will be accepted onto the switch. I am probably safe when all connections are managed and connected by myself :) By the way: it serves as a core/metro switch to connect the other datacentre to the primary one.

Current config of the upper one:
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus16,ether1 vlan-ids=80
add bridge=bridge tagged=bridge,ether1 untagged=sfp-sfpplus1 vlan-ids=309
Still working flawlessly. No loops (traffic still 0bps and CPU idle)

Thanks for your support, appreciated greatly!
 
sindy
Forum Guru

Re: QinQ VLAN's Help needed

Sat Jun 08, 2019 3:13 pm

No other bridges, no tagless or untagged (except for the stacked ones) will be accepted onto the switch. I am probably safe when all connections are managed and connected by myself :)
Well, I'm not really sure how exactly the switch chip handles ingress frames which are not Ethernet II but 802.2 (i.e. the first two bytes following the MAC addresses represent frame size, not content type), i.e. whether it deems them "untagged" or rather "neither tagged nor untagged". And there are not just STP frames, some switch vendors use their proprietary frames for loop detection, which may take the long path provider_switch -> upperCRS.ether4 -> upperCRS.sfpplus1 -> lowerCRS.sfpplus1 -> lowerCRS.sfpplus16 -> upperCRS.sfpplus16 -> upperCRS.ether4 -> provider_switch and make the provider switch shut down the port. In the worst case, the adjacent switch would not detect a loop and disable the port but frames which escape the ingress filtering would circulate there forever (as they have no TTL field to be used to count hops), gradually seizing all the bandwidth. Candidates are not just broadcast/multicast frames but also frames towards unicast MAC addresses from which an ingress frame never comes so the switch cannot associate them with a port.

So to prevent this from happening, the port isolation needs to be set at the more distant switch from the source (so against loop detection/eternally circulating frames coming from the provider switch, the lowerCRS needs to have sfpplus1 and sfpplus16 isolated from each other; against loop detection/eternally circulating frames coming from the customer switch, the upperCRS needs to have sfpplus1 and sfpplus16 isolated from each other).
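The two rules argued in this thread, sindy's point (post of Tue Apr 16) that a bridge crossing can push only one tag on ingress and pop only one on egress, and the split-horizon isolation of sfpplus1/sfpplus16 just above, as a small constructed model. This is an added illustration, not MikroTik code or any poster's configuration; it assumes a simplified vlan-filtering bridge with ingress-filtering on, PCP/DEI left at zero, and constructed sample frames.

```python
"""Toy model of a vlan-filtering bridge (constructed for this thread, not MikroTik code).
It encodes/decodes stacked 802.1ad/802.1Q tags and reproduces two rules from the
discussion: a bridge crossing pushes at most one tag on ingress and pops at most one
on egress, and ports sharing a horizon value never forward frames to each other."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ETH_8021Q = 0x8100    # C-tag TPID
ETH_8021AD = 0x88A8   # S-tag TPID
ETH_ARP = 0x0806

@dataclass
class Frame:
    dst: bytes
    src: bytes
    tags: List[Tuple[int, int]]   # (tpid, vid), outermost first
    ethertype: int
    payload: bytes

def encode(f: Frame) -> bytes:
    """Serialise the frame; PCP and DEI stay zero as in the Wireshark dissection."""
    raw = f.dst + f.src
    for tpid, vid in f.tags:
        raw += struct.pack("!HH", tpid, vid & 0x0FFF)
    return raw + struct.pack("!H", f.ethertype) + f.payload

def decode(raw: bytes) -> Frame:
    """Walk the tag stack until the first non-VLAN ethertype."""
    off, tags = 12, []
    while True:
        (etype,) = struct.unpack_from("!H", raw, off)
        if etype not in (ETH_8021Q, ETH_8021AD):
            break
        (tci,) = struct.unpack_from("!H", raw, off + 2)
        tags.append((etype, tci & 0x0FFF))
        off += 4
    return Frame(raw[:6], raw[6:12], tags, etype, raw[off + 2:])

@dataclass
class Port:
    name: str
    pvid: int = 1                                    # /interface bridge port pvid=
    tag_stacking: bool = False                       # /interface bridge port tag-stacking=
    tagged: Set[int] = field(default_factory=set)    # /interface bridge vlan tagged=
    untagged: Set[int] = field(default_factory=set)  # /interface bridge vlan untagged=
    horizon: Optional[int] = None                    # split-horizon group, None = none

class Bridge:
    """vlan-filtering=yes, ingress-filtering=yes bridge with a single ether-type."""

    def __init__(self, ether_type: int, ports: List[Port]):
        self.ether_type = ether_type
        self.ports = {p.name: p for p in ports}

    def ingress(self, pname: str, f: Frame) -> Optional[Tuple[int, Frame]]:
        p = self.ports[pname]
        if f.tags and f.tags[0][0] == self.ether_type and not p.tag_stacking:
            vid = f.tags[0][1]            # outer tag is "ours": use its VID
            return (vid, f) if vid in p.tagged else None   # ingress filtering
        # tagless from this bridge's point of view (no tag, foreign TPID, or
        # tag-stacking=yes): push exactly one tag carrying the port PVID
        return p.pvid, Frame(f.dst, f.src, [(self.ether_type, p.pvid)] + f.tags,
                             f.ethertype, f.payload)

    def egress(self, pname: str, vid: int, f: Frame) -> Optional[Frame]:
        p = self.ports[pname]
        if vid in p.tagged:
            return f
        if vid in p.untagged:             # pop exactly one tag, never two
            return Frame(f.dst, f.src, f.tags[1:], f.ethertype, f.payload)
        return None                       # VID not permitted on this port

    def forward(self, in_port: str, out_port: str, f: Frame) -> Optional[Frame]:
        pi, po = self.ports[in_port], self.ports[out_port]
        if pi.horizon is not None and pi.horizon == po.horizon:
            return None                   # same horizon: isolated from each other
        r = self.ingress(in_port, f)
        return None if r is None else self.egress(out_port, r[0], r[1])

# Constructed sample: a tagless ARP broadcast from a customer behind ether2.
TAGLESS = Frame(b"\xff" * 6, bytes.fromhex("64d154784a37"), [], ETH_ARP, b"\x00" * 28)

# The cascade from the ascii-art topology: C-bridge A tags C-VID 10, S-bridge then
# tags S-VID 100 and sends S-over-C out of the hybrid uplink.
C_BRIDGE_A = Bridge(ETH_8021Q, [Port("ether2", pvid=10, untagged={10}),
                                Port("trunk", tagged={10, 20})])
S_BRIDGE = Bridge(ETH_8021AD, [Port("access", pvid=100, untagged={100}),
                               Port("uplink", tagged={100, 999})])

def cascade(f: Frame) -> Optional[Frame]:
    """Two bridge crossings are needed to get two tags onto a tagless frame."""
    c_tagged = C_BRIDGE_A.forward("ether2", "trunk", f)
    return None if c_tagged is None else S_BRIDGE.forward("access", "uplink", c_tagged)
```

A single `Bridge` with `tag_stacking=True` still pushes only one tag, and a bridge built with `ETH_8021AD` treats an incoming 0x8100 tag as payload, which is the ether-type=0x88a8 shortcut described above.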
 
CZFan
Forum Guru
Topic Author

Re: QinQ VLAN's Help needed

Sat Jun 08, 2019 8:20 pm

@deepmedia
As a side note, I assume the 1.1.1.1, etc addresses are loopback addresses, anyway, personally I will stay away from them as they are routable on internet
 
deepmedia
just joined

Re: QinQ VLAN's Help needed

Thu Jun 13, 2019 4:07 pm

Those were used in a disconnected environment, no worries :)
